Ticket 5338: Race conditions in key rotation
Jeffrey Altman
jaltman at secure-endpoints.com
Mon Jun 23 18:13:31 EDT 2008
Nicolas Williams wrote:
> On Mon, Jun 23, 2008 at 04:09:56PM -0400, Jeffrey Altman wrote:
>> I am going to write a patch to introduce fail over to the master
>> for all tgs requests. I will add it to ticket 5338 and it can
>> then be evaluated for inclusion.
>
> Note: failover needs to not happen if a master is not defined...
>
> I know, it seems obvious...
>
> But also, it may be a good idea to make it optional, or to make failover
> be more of a "try another KDC" option.
>
> The client's behaviour shouldn't prevent/complicate the possibility of
> having kadmind instances running on all the KDCs nor multi-master
> replication.
In MIT Kerberos a KDC server running kadmind is not necessarily a
master. The master
notion is only defined if the master_kdc is explicitly configured. If
"master_kdc" is not
defined, then the failover to master functionality is not used.
Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20080623/8a2ad2b0/attachment.bin
More information about the krbdev
mailing list